01-AWS Common Commands

Variable reference

| Variable | Meaning |
|---|---|
| UID | AWS account ID |
| 地域ID | Region ID the resource belongs to |
| 集群名称 | Name the EKS cluster was created with |
Get kubeconfig

```shell
# Fetch the kubectl config:
aws eks --region 地域ID update-kubeconfig --name 集群名称
```
Update kubeconfig

```shell
aws eks update-kubeconfig --region 地域ID --name 集群名称
# By default the file is written under the home directory: ~/.kube/config
# To write it to a specific location, add the parameter:
#   --kubeconfig /path/to/path/config_***
```
Create the IAM OIDC provider

What the IAM OIDC provider does:
Through an OIDC provider, **authentication by external systems** such as Google, GitHub or an enterprise identity provider can be used to access AWS resources.
It is usually combined with an IAM Role and STS (Security Token Service) to give more flexible permission and identity management. For an EKS cluster, associating the provider is what lets a Kubernetes service account's token be exchanged for IAM role credentials (IAM Roles for Service Accounts).

```shell
eksctl utils associate-iam-oidc-provider --region <地域ID> --cluster <集群名称> --approve
```
Create the policy

policy-name: EKS_EFS_CSI_Driver_Policy
Policy content: iam-policy.json

```shell
aws iam create-policy --policy-name EKS_EFS_CSI_Driver_Policy --policy-document file://iam-policy.json
```
iam-policy.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateAccessPoint"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/efs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DeleteAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      }
    }
  ]
}
```
Create the Kubernetes service account

```shell
eksctl create iamserviceaccount --region 地域ID --cluster 集群名称 --namespace kube-system --name efs-csi-controller-sa --attach-policy-arn arn:aws:iam::<UID>:policy/EKS_EFS_CSI_Driver_Policy --approve
```
Determine the cluster's OIDC provider URL

```shell
aws eks describe-cluster --name 集群名称 --query "cluster.identity.oidc.issuer" --output text --region 地域ID
# Sample output:
# https://oidc.eks.地域ID.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
```
Roles

Create a role and attach its trust policy

Role name: EKS_EFS_CSI_DriverRole
Trust policy attached to the role: trust-policy.json

```shell
aws iam create-role --role-name EKS_EFS_CSI_DriverRole --assume-role-policy-document file://"trust-policy.json"
```
trust-policy.json

Note: the following variables below need to be replaced:
1. UID
2. OIDC provider URL

Sample URL: https://oidc.eks.地域ID.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
Two parts of the sample URL matter: 地域ID and EXAMPLED539D4633E53DE1B71EXAMPLE.
Two places in the JSON need to change: Federated and StringEquals. Federated is the ARN of the IAM OIDC provider (arn:aws:iam::<UID>:oidc-provider/ followed by the issuer URL without https://), and the :sub condition pins the role to one namespace and service account, so only that service account's token can assume it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<UID>:oidc-provider/oidc.eks.地域ID.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.地域ID.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
        }
      }
    }
  ]
}
```
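Building trust-policy.json by hand from the issuer URL is where mistakes creep in, so here is an added example (not from the original post) that generates the trust policy from the describe-cluster issuer URL and checks an existing one for the usual gaps: a Federated principal that is not the provider ARN, a missing or wildcard :sub condition, and a missing :aud condition. The issuer URL, account ID and the helper names are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample values (not a real account or cluster); the issuer URL has the
# shape returned by `aws eks describe-cluster --query cluster.identity.oidc.issuer`.
ISSUER_URL = "https://oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"

def build_trust_policy(account_id, issuer_url, namespace, service_account):
    """Build the IRSA trust policy for exactly one Kubernetes service account."""
    issuer = urlparse(issuer_url)
    provider = f"{issuer.netloc}{issuer.path}"   # issuer URL without the https:// scheme
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Principal must be the IAM OIDC *provider* ARN, not the bare issuer host
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # :sub pins the role to one namespace:serviceaccount; :aud to the STS audience
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }

def check_trust_policy(policy):
    """Return findings for mistakes that would let the wrong workload assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if ":oidc-provider/" not in federated:
            findings.append("Federated principal is not an IAM OIDC provider ARN")
        cond = stmt.get("Condition", {})
        keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        subs = {k: json.dumps(v) for k, v in keys.items() if k.endswith(":sub")}
        if not subs:
            findings.append("no :sub condition: any service account in the cluster could assume the role")
        elif any("*" in v for v in subs.values()):
            findings.append("wildcard in :sub condition; scope it to one namespace:serviceaccount")
        if not any(k.endswith(":aud") for k in keys):
            findings.append("no :aud condition; add <issuer>:aud = sts.amazonaws.com")
    return findings
```

`json.dumps(build_trust_policy(...), indent=2)` written to trust-policy.json is what `aws iam create-role` and `update-assume-role-policy` above expect; `check_trust_policy` can be run on the output of `aws iam get-role --query Role.AssumeRolePolicyDocument`.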
List the policies attached to the role

```shell
aws iam list-attached-role-policies --role-name EKS_EFS_CSI_DriverRole
```

View the role's trust policy

```shell
aws iam get-role --role-name EKS_EFS_CSI_DriverRole --query 'Role.AssumeRolePolicyDocument'
```

Detach a policy from the role

```shell
aws iam detach-role-policy --role-name EKS_EFS_CSI_DriverRole --policy-arn arn:aws:iam::<UID>:policy/EKS_EFS_CSI_Driver_Policy
```

Update the role's trust policy

```shell
aws iam update-assume-role-policy --role-name EKS_EFS_CSI_DriverRole --policy-document file://"trust-policy.json"
```

Note: see the trust-policy.json example above

Attach an IAM policy to the role

```shell
aws iam attach-role-policy --policy-arn arn:aws:iam::<UID>:policy/EKS_EFS_CSI_Driver_Policy --role-name EKS_EFS_CSI_DriverRole
```
List the add-ons installed on a cluster

```shell
aws eks list-addons --cluster-name <your-cluster-name>
```

Show an add-on's version details / status

```shell
aws eks describe-addon --cluster-name <your-cluster-name> --addon-name <addon-name>
```

Run the following to list all supported add-on versions

```shell
aws eks describe-addon-versions --kubernetes-version <cluster-version>
# An add-on name can be specified:
aws eks describe-addon-versions --kubernetes-version <cluster-version> --addon-name <addon-name>
```
Show the default version of a given add-on for a given cluster version

```shell
aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name coredns --query 'addons[].addonVersions[].{Version: addonVersion, Defaultversion: compatibilities[0].defaultVersion}' --output table
```

Output (the row with Defaultversion True is the version EKS installs by default):

```
------------------------------------------
|          DescribeAddonVersions         |
+-----------------+----------------------+
|  Defaultversion |       Version        |
+-----------------+----------------------+
|  False          |  v1.9.3-eksbuild.22  |
|  False          |  v1.9.3-eksbuild.21  |
|  False          |  v1.9.3-eksbuild.19  |
|  False          |  v1.9.3-eksbuild.17  |
|  False          |  v1.9.3-eksbuild.15  |
|  False          |  v1.9.3-eksbuild.11  |
|  False          |  v1.9.3-eksbuild.10  |
|  False          |  v1.9.3-eksbuild.9   |
|  True           |  v1.9.3-eksbuild.7   |
|  False          |  v1.9.3-eksbuild.6   |
|  False          |  v1.9.3-eksbuild.5   |
|  False          |  v1.9.3-eksbuild.3   |
|  False          |  v1.9.3-eksbuild.2   |
|  False          |  v1.8.7-eksbuild.21  |
|  False          |  v1.8.7-eksbuild.20  |
|  False          |  v1.8.7-eksbuild.18  |
|  False          |  v1.8.7-eksbuild.16  |
|  False          |  v1.8.7-eksbuild.10  |
|  False          |  v1.8.7-eksbuild.9   |
|  False          |  v1.8.7-eksbuild.8   |
|  False          |  v1.8.7-eksbuild.7   |
|  False          |  v1.8.7-eksbuild.6   |
|  False          |  v1.8.7-eksbuild.5   |
|  False          |  v1.8.7-eksbuild.4   |
|  False          |  v1.8.7-eksbuild.3   |
|  False          |  v1.8.4-eksbuild.2   |
+-----------------+----------------------+
```
User operations

View a user's permission policies

```shell
# Managed policies attached to the user
aws iam list-attached-user-policies --user-name <username>
# Inline policies of the user:
aws iam list-user-policies --user-name <username>
# The user's groups: a user may belong to one or more groups, and groups can also have attached policies
aws iam list-groups-for-user --user-name <username>
# Managed policies attached to a group
aws iam list-attached-group-policies --group-name <groupname>
# Inline policies of a group
aws iam list-group-policies --group-name <groupname>
```
Update a user's permission policies

```shell
# Attach a managed policy to a user
aws iam attach-user-policy --user-name <username> --policy-arn <policy-arn>
# Detach a managed policy from a user
aws iam detach-user-policy --user-name <username> --policy-arn <policy-arn>
# Add an inline policy to a user
aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://<policy-document.json>
```

policy-document.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

```shell
# Delete a user's inline policy
aws iam delete-user-policy --user-name <username> --policy-name <policy-name>
```
Permission policies

View policy content

```shell
# List all policies
aws iam list-policies
# Get policy details: get-policy
aws iam get-policy --policy-arn <policy-arn>
```

Sample output:

```json
{
  "Policy": {
    "PolicyName": "<PolicyName>",
    "PolicyId": "ANPA5OB****2EK52YJTG",
    "Arn": "arn:aws:iam::******:policy/<PolicyName>",
    "Path": "/",
    "DefaultVersionId": "v8",
    "AttachmentCount": 1,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2024-12-27T01:59:03+00:00",
    "UpdateDate": "2025-02-25T02:16:01+00:00",
    "Tags": []
  }
}
```

```shell
# Get the policy document: get-policy-version
# <version-id> is the DefaultVersionId returned by get-policy (v8 above)
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
```

Sample output (trimmed):

```json
{
  "PolicyVersion": {
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "eks:*",
            "elasticfilesystem:*",
            "kms:ListAliases"
          ],
          "Resource": "*"
        }
      ]
    }
  }
}
```
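The document returned by get-policy-version above grants `eks:*` and `elasticfilesystem:*` on every resource with no condition, whereas the EFS CSI policy earlier keeps Resource "*" but narrows each write with a tag condition. This added example (not from the original post) is a small check for that difference: it flags Allow statements with wildcard actions on Resource "*" and no Condition. Both sample documents are constructed here to mirror the two shapes on this page.

```python
import json

# Constructed sample documents modelled on the two shapes shown on this page:
# the EFS CSI policy (Resource "*" but scoped by a tag condition) and the
# get-policy-version output (service-wide wildcard actions with no condition).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticfilesystem:CreateAccessPoint"],
     "Resource": "*",
     "Condition": {"StringLike": {"aws:RequestTag/efs.csi.aws.com/cluster": "true"}}}
  ]
}""")
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["eks:*", "elasticfilesystem:*", "kms:ListAliases"],
     "Resource": "*"}
  ]
}""")

def _as_list(value):
    """IAM allows Action/Resource/Statement as a string or object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_broad_statements(policy):
    """Return (Sid or index, wildcard actions) for each Allow statement that grants
    wildcard actions on Resource "*" with no Condition to narrow it."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a.endswith("*")]
        if wild:
            findings.append((stmt.get("Sid", idx), wild))
    return findings
```

Feed it the `PolicyVersion.Document` object from `aws iam get-policy-version` to review a live policy before it is attached to a user, group or role with the commands that follow.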
Update policies

```shell
# Create a policy
aws iam create-policy --policy-name <policy-name> --policy-document file://<policy-document.json> --description "<description>"
```

policy-document.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:ListCommands",
      "Resource": "*"
    }
  ]
}
```

Sample output:

```json
{
  "Policy": {
    "PolicyName": "SSMFULLPolicy",
    "PolicyId": "ANPA5OB3IHIWWFXZTWXPI",
    "Arn": "arn:aws:iam::923542239789:policy/SSMFULLPolicy",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2025-03-04T16:27:35+00:00",
    "UpdateDate": "2025-03-04T16:27:35+00:00"
  }
}
```

```shell
# Delete a policy: delete-policy
aws iam delete-policy --policy-arn <policy-arn>
# Create a policy version: create-policy-version
aws iam create-policy-version \
  --policy-arn <policy-arn> \
  --policy-document file://<policy-document.json> \
  --set-as-default
# Delete a policy version: delete-policy-version
aws iam delete-policy-version --policy-arn <policy-arn> --version-id <version-id>
# Attach a policy to a user
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
# Detach a managed policy from a user: detach-user-policy
aws iam detach-user-policy --user-name <username> --policy-arn <policy-arn>
# Attach a managed policy to a group: attach-group-policy
aws iam attach-group-policy --group-name <groupname> --policy-arn <policy-arn>
# Detach a managed policy from a group: detach-group-policy
aws iam detach-group-policy --group-name <groupname> --policy-arn <policy-arn>
# Attach a managed policy to a role: attach-role-policy
aws iam attach-role-policy --role-name <rolename> --policy-arn <policy-arn>
# Detach a managed policy from a role: detach-role-policy
aws iam detach-role-policy --role-name <rolename> --policy-arn <policy-arn>
```
Instance profiles

arn:aws:iam::***:instance-profile/eks-50cab053-76bd-2f2c-5f09-054c96b101b1 is the ARN of an IAM instance profile, not of an IAM role directly.

```shell
# Look up the IAM role contained in the instance profile
aws iam get-instance-profile \
  --instance-profile-name eks-50cab053-76bd-2f2c-5f09-054c96b101b1 \
  --query "InstanceProfile.Roles[0].RoleName"
# Sample output:
# NodeInstanceRole
```
Copy a public key to an EC2 instance

```shell
aws ec2-instance-connect send-ssh-public-key --region <region-id> --availability-zone <availability-zone> --instance-id <inst_id> --instance-os-user <user> --ssh-public-key file://~/.ssh/id_rsa.pub
# For example:
aws ec2-instance-connect send-ssh-public-key --region ap-southeast-1 --availability-zone ap-southeast-1a --instance-id i-0a2f16beac000eb8d --instance-os-user root --ssh-public-key file://~/.ssh/id_rsa.pub
```

A key pushed this way stays valid on the instance for 60 seconds only, so open the SSH session right after the command returns; the push is also recorded in CloudTrail as a SendSSHPublicKey event, which is the place to audit who obtained instance access.
This article is licensed by the author under CC BY 4.0